• n3m37h@lemmy.world
    135 up · 8 down · 2 years ago

    Let’s ban a product instead of solving the issue at hand… Seriously? I hate my country more and more as each day passes

  • Obinice@lemmy.world
    62 up · 2 years ago

    The device only gives easy access to already extremely weak/non-existent security systems. That’s literally it.

    It’s just something that’s existed forever, but put into a convenient package and marketed well enough that suddenly normal people are realising how insecure their electronic systems actually are.

    Kinda like how they used to make pacemakers hackable because they never thought to add any security at all. I bet many of them still don’t.

    Anyway, the issue lies not with this device, which can’t “hack” anything with any actual security, the issue is with manufacturers making devices that literally leave the door wide open to anybody with an extremely basic electronic sniffer/cloner device.

  • Treczoks@lemmy.world
    60 up · 2 years ago

    If the flipper can help you steal a car, the flipper is not the problem, but the neglect and incompetence of the car company is.

  • Rentlar@lemmy.ca
    47 up · 2 down · edited · 2 years ago

    It’s called pretending to do something about the problem.

    The way they get access is by amplifying a signal of a car key near the entrance to trick the car into thinking the key is nearby. Others do just pick the driver’s side lock. Then once inside, they connect to the vehicle and pair new keys so they can drive away in less than 10 minutes.

    I’ve never understood the way modern cars just unlock without any button press, that seems really insecure. Some organized thieves probably aren’t even bothering with lock-picking and ignition hot-wiring these days as older cars would be low value to them. Oh and if a random crackhead really wanted something in the car they would probably just smash the window or pry the door anyway.

    A solution would be a 24-hour lockout timer to program new keys. That would prevent mall jackings and be a small inconvenience for repair shops to need to keep cars in the garage overnight.

    • Death_Equity@lemmy.world
      7 up · 2 years ago

      Cars that unlock without pressing anything or by pressing a button on the door look for the key that is bound to them. It is secure in that only a key programmed to the car can tell the car it is ok to unlock. The keys are authenticated with a rolling code that is synced between a car and key when the key is programmed to the car. Thieves clone the key’s signal and then the car has no idea that the fake key is not the real key.

      You can’t hotwire a modern car. On a modern pushbutton ignition car the starting function is allowed through a security module that makes sure the key is there before starting. Pushing the button only asks permission to start the car and then the module is the one that tells the car to start.

      Lock-picking a modern car can be done, but it is far easier to use a wedge and inflatable air bag to pry the door open enough to use a hooked tool to open the door from the inside. Nobody picks automotive locks anymore, a lot of the door locks can be ripped out and bypassed anyways. You can of course just break the glass, but it may sound an alarm. The F150 has a massive theft issue Ford won’t bother to address, the alarm can be disabled from outside the car using no tools whatsoever.

      Once a thief has access to the inside of the car, they can program a new fake key using specialized software which is usually dealer level software but it can be done using 3rd party software. You can’t just ban all non-dealers from having the capability to reprogram keys, that is user-repair hostile and would mean you have to pay whatever the dealer wants to replace a lost or damaged key. Not to mention that thieves will still find a way to access dealer tools and keep on stealing anyways.

      A lockout period wouldn’t accomplish anything, the original key still gets cloned and can be used to drive the car away. Once the stolen car is taken, the thieves have all the time they want to reprogram a key.

      Enhancing security measures by using a more secure key authentication method will only go so far toward preventing theft and will add considerable costs to cars and key replacement. Thieves will catch up to any means of securing cars. A better solution is to improve economic prospects and enforce the current laws effectively to remove incentive to steal cars.

      • Rentlar@lemmy.ca
        3 up · edited · 2 years ago

        Your points are all valid and I agree with your suggestions. I still think every hour of delay is important to try to track down the car before it gets out of the country…

        So compare an easy to steal car with a keyed ignition, with a modern push to start car. I don’t drive now but I used to drive the former. It wouldn’t sell for much in a used market or criminal market. Being stolen for use in a crime it may be more useful on the other hand. I don’t know if thieves looking for easy marks would go for that car over one with more modern tech…

        • Death_Equity@lemmy.world
          5 up · 2 years ago

          Auto theft for sale in a foreign market or domestic is uncommon and mostly dealing with valuable or rare cars and typically happens within a gas tank of an international border. More common is for breaking down and selling parts, but that is still not that typical. Most auto theft is for personal use and to commit crime. The breakdown of types of thefts changes with area, so in America personal use or crime is more common than Europe where chopping or foreign sale is more common.

          Most turn-key ignition cars can’t be hotwired either, they have immobilizers that require a security chip authentication within the key. Most of the cars that can be hotwired are from before 2005, after that they get rarer. If it has an all metal key, those definitely can be hotwired.

          When it comes to tracking, by the time the car is located it is done being used. Most cars do not have any form of tracking that is accessible to law enforcement with cooperation from manufacturers. Modern cars with tracking can have their GPS or cell network disabled by pulling the right fuse with no impact on the drivability of the car. Aftermarket trackers are harder to disable if they are installed correctly and can lead to a faster recovery if the police move fast enough. Once the car is taken and the GPS fuse is pulled, they can keep the car indefinitely without fear of getting caught via tracking. If an aftermarket tracker is used, they just need to have the car in a place that will block the signal for long enough to disable it and then move the car again fast enough. Cops move slow, you can tell the cops where it is right now and they may not attempt recovery for hours.

          Since the majority of auto theft is just looking for a car to ditch, in America, the easier to steal the better and it doesn’t matter what the car is. F150s and Kia/Hyundai are the most popular now because they are easy to steal and common as dirt but grabbing a 2022 Honda that is left running or grabbing the keys from a driver are popular options.

      • Rentlar@lemmy.ca
        2 up · 2 years ago

        Then what’s the manufacturer’s excuse for not having them on current models? It would prevent the “one and done” type of attacks, there’s at least a chance that any setup gets caught on camera before the car is stolen later?

        • Madison420@lemmy.world (Banned from community)
          2 up · 2 years ago

          Ford still does have program timeout, like I said some cars have had it some haven’t and I can’t and moreover won’t try to explain anyone else’s feelings.

          • Rentlar@lemmy.ca
            1 up · 2 years ago

            I understand. I’m upset at this but not trying to take it out on the messenger.

  • MTK@lemmy.world
    35 up · 2 years ago

    Car security is horrible

    I bought a copying remote from aliexpress thinking “no way my car has a static code and not a rolling one… right?”

    Nope, fuck you Kia, any stupid cheap remote from aliexpress can be used to copy keys from a surprising amount of cars.

    Car security should improve and I hope this becomes a big enough issue that it gets better regulated
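
The difference between the static code described in this comment and the synced rolling code Death_Equity describes above, shown from the receiver's side. This is an added example, not part of anyone's post and not any manufacturer's scheme: the HMAC-SHA256 frame layout, the 16-step look-ahead window and all names are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: fob presses made out of range that the car tolerates

def rolling_frame(key: bytes, fob_id: int, counter: int) -> bytes:
    """Frame a paired fob would send: id | counter | truncated HMAC tag."""
    body = fob_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class StaticReceiver:
    """Static-code design: the same bytes are valid on every press."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingReceiver:
    """Rolling-code design: key and counter are synced when the fob is paired."""

    def __init__(self, key: bytes, fob_id: int):
        self.key, self.fob_id, self.last = key, fob_id, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        body, tag = frame[:8], frame[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # not produced with the paired key
        fob_id = int.from_bytes(body[:4], "big")
        counter = int.from_bytes(body[4:], "big")
        if fob_id != self.fob_id or not self.last < counter <= self.last + WINDOW:
            return False  # wrong fob, already-used counter, or too far ahead
        self.last = counter  # every counter up to this one is now dead
        return True

def demo() -> dict:
    key, fob_id = b"constructed-demo-key", 0x1234  # constructed sample values
    static = StaticReceiver(b"\xa5\x5a\xa5\x5a")
    rolling = RollingReceiver(key, fob_id)
    first = rolling_frame(key, fob_id, 1)
    forged = first[:-1] + bytes([first[-1] ^ 1])  # same frame with one tag bit flipped
    return {
        "static_replay": static.accept(b"\xa5\x5a\xa5\x5a"),
        "rolling_first": rolling.accept(first),
        "rolling_replay": rolling.accept(first),
        "rolling_skipped_presses": rolling.accept(rolling_frame(key, fob_id, 5)),
        "rolling_stale": rolling.accept(rolling_frame(key, fob_id, 3)),
        "rolling_too_far": rolling.accept(rolling_frame(key, fob_id, 5 + WINDOW + 1)),
        "rolling_forged_tag": rolling.accept(forged),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {'accepted' if ok else 'rejected'}")
```
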

      • The Menemen!@lemmy.world
        9 up · edited · 2 years ago

        Yeah, but saving 1.50 per car improves some stupid business performance indicator, which respectively will get some manager a nice bonus.

          • The Menemen!@lemmy.world
            2 up · 2 years ago

            Ever since I first met the insanity that are business indicator numbers, I lost my belief in humanity. People knowingly hurt their companies’ effectiveness and prosperity just to improve those numbers. And they get rewarded for it.

  • no banana@lemmy.world
    29 up · 2 years ago

    I see how that might make sense to lawmakers. It does present itself as a problem. But the fact that it is a symptom of a security issue is the reason it shouldn’t be outright banned. I haven’t used the thing, but it has looked to me like a pretty snazzy multitool.

    It’s like banning swiss army knives. I can see why it looks like it makes sense, but it really doesn’t.

    • CosmicTurtle@lemmy.world
      23 up · 1 down · 2 years ago

      It reminds me of a lawmaker in one of the flyover states that wanted to make it illegal to look at the source code of a website.

      Think about this for a second.

      And realize that this twat is writing laws.

        • CosmicTurtle@lemmy.world
          11 up · 1 down · 2 years ago

          No, it was a few years back when a researcher found that there was a plain text file of county employee social security numbers just sitting inside the JavaScript of a government website.

          There are too many Google results from the upcoming election for me to sort through but suffice it to say, the guy was a class A idiot.

        • lad@programming.dev
          6 up · 2 years ago

          Happened around 2021-10-15:

          Missouri Gov. Mike Parson said that his administration is pursuing the prosecution of a local newspaper reporter who alerted the government to website security flaws.

          It’s in the following sources, at least: TechCrunch, NPR, NY Times

    • lad@programming.dev
      8 up · 2 years ago

      It’s like banning swiss army knives

      That’s why we went forth and banned everything swiss, army, or knife, altogether

    • rdyoung@lemmy.world
      4 up · 2 years ago

      I’ve been watching flipper since it was announced. I should probably buy one and play with it.

      All this is going to do is increase sales of the thing and probably increase the number of “kids” trying to break into cars. Streisand effect ftw.

    • LazaroFilm@lemmy.world
      3 up · 1 down · edited · 2 years ago

      The real problem is Flipper Zero is just a nicely packaged tool that can also be easily assembled with other off the shelf parts. And those parts alone can do many other things that should not be made illegal. The real solution should be from car manufacturers and ensuring that they don’t use tech that can be so easily hacked.

  • Rediphile@lemmy.ca
    30 up · 1 down · 2 years ago

    Just ordered one. I had no real interest, but once you tell me I can’t have one…I must have one.

  • banneryear1868@lemmy.world
    22 up · 2 years ago

    RollJam and RollBack are the exploits for bypassing rolling codes. These exploits are possible because you can replay captured codes at a later time.

    What’s happening in most cases is the proximity-based fobs are simply amplified with a device to reach the person’s car in the driveway, since most people keep their keys by the door, and in some cases even within reach of the car without a device. It’s this low hanging fruit where the theft happens, or just a tow truck…

    The Flipper is more of an enthusiast and pranking device. The devices used in actual thefts are like disposable $50 alibaba pieces of shit. Canada is effectively creating a clandestine market for simple radio amplifiers made from the most basic electronic components. As someone in Canada who used to build the classic cmoy Altoid-tin headphone amps to sell on etsy, this is tempting…

  • Xavier@lemmy.ca
    21 up · 2 years ago

    Honestly, I am embarrassed with the whole “look like we’re doing something” shtick by my government. An expensive gathering of decision makers from various sectors, a National Summit, just to say: we are now gonna be soooo tough on crime and let’s ban the toy we just saw on TikTok.

    Car theft was a major problem before 2010 until engine immobilizers became mandatory since 2007 on all vehicles made in Canada

    Then everyone got too comfortable. The regulatory bodies and car manufacturers were too focused on pretending to do some work and publishing all the buzzword-of-the-day “accomplishments” they were doing while patting each other’s backs without explicitly requiring manufacturers to comply/implement immediately anything. Meanwhile, manufacturers were happy to integrate almost off-the-shelf “children’s RC” car starter pack obfuscated through invisible/non-existent security and protected under dubious industrial secrets.

    Obviously, criminals smelled the easy money. Starting around 2013 — mystery car unlocking device | 2015 — signal repeater car burglary, car thefts by relay attacks were known by automakers but ignored as one-offs, too technical, already dealt with by law enforcement to let’s pretend it’s not that big of a problem or leave it to the police. Meanwhile, insurance claim replacement vehicles are selling like hotcakes and it is “convenient” to ignore the problem.

    The following years various reprogramming thefts become known and finally CAN bus injection — new form of keyless car theft that works in under 2 minutes or in depth investigation by Dr. Ken Tindell, becomes so easy, so cheap and widely available that even kids use them to gain Youtube/TikTok followers.

    Car hacking was becoming a serious concern during the pandemic, but now it’s simply ridiculous and as if current automaker included/provided anti-theft/GPS tracking were (un)knowingly made “defective”.

    Hence, everyone is playing catch up and blaming left and right on who is responsible for this in-slow-motion public safety disaster.

    Brian Kingston, president and CEO of the Canadian Vehicle Manufacturers’ Association, which includes Ford Motor Company of Canada, General Motors of Canada and Stellantis, said increasing the risk of prosecution is the most effective way to deter vehicle theft.

    “And at the same time, providing more outbound inspection controls at the ports to prevent the flow of stolen vehicles to foreign markets by organized criminal organizations,” he added.

    New vehicle safety standards have been published (rushed?) recently. We will see if all the panic settles down like after 2007.

    Moreover, the exponential prevalence of car theft also laid bare the incredibly poor and ineffective security at the various ports of Canada. Unsurprisingly, it has been a known constant devolution:

    The devolution of port authorities in Canada has not been without debate over the past 70 years. This paper provides a brief introduction to the role of ports in Canada and then examines the history of port policy and devolution, concluding that past policies were considered to have failed due to their inability to respond to changing circumstances.

  • Mahonia@lemmy.world
    17 up · 2 years ago

    It seems like maybe the problem is that automakers were able to widely market vehicles that use wireless protocols that are relatively easy targets for attack. This was never properly secure.

    Automakers should absolutely be held to higher standards (in general) than they are, and it’s not likely that banning specific devices is going to have any measurable outcome here. It’s pretty well known that people buy and sell malware, and people can just… make devices similar to a Flipper with cheaply and readily available hardware.

    This is just dumb posturing to avoid holding automakers and tech companies accountable for yet another dumb, poorly thought out, design feature.

    And obviously it doesn’t stop at cars. It seems pretty clear that snooping on any feature using RFID or NFC tech is only going to become more widespread. Novel idea: what about using… actual keys as the primary method of granting physical access? Lock picking is obviously possible but a properly laid out disc-detainer lock is pretty goddamn hard to bypass even with the proper tools, and that skill can’t just be acquired in the same way as with electronic methods of bypass.

    • Necrosynthetik@lemmy.world
      5 up · 2 years ago

      They are a fun little tool for hardware hacking and teaching yourself more about what it can do. I bought one last year.

  • modifier@lemmy.ca
    15 up · 2 years ago

    I don’t even know how to use this thing but I bought one reflexively when I got the sense it would likely be outlawed in the future.

  • uhmbah@lemmy.ca
    15 up · 2 down · 2 years ago

    Ya but, you can’t steal cars with this unit.

    If our politicians are not the laughing stock, they should be.

    • ArbiterXero@lemmy.world
      12 up · 1 down · 2 years ago

      Clearly criminals who steal cars will DEFINITELY listen to this new law banning their tools.

      • Mr_Blott@lemmy.world
        3 up · 4 down · 2 years ago

        That said, this is the argument that gun-owning cowards use, so does it fall under the “How do we stop this happening, says only country in the world where this happens regularly” category?

        Probably a wise move to nip it in the bud

        • ArbiterXero@lemmy.world
          1 up · 2 years ago

          Maybe, but guns are a very different problem.

          A toddler won’t kill their sibling with this by accident.

      • Herr Woland@lemmy.world
        2 up · 2 years ago

        Not only that, you can easily buy more advanced car stealing tools that are made for this purpose from Chinese websites.